Three Tiers of Risk for Cyber Espionage in 2017

by Jesse Sampson

January 11, 2017


With all the controversy surrounding Russian hacking, is it time for security professionals to freak out about cyber espionage? Since the objectives of any cyber espionage campaign dictate its targets, ZiftenLabs can help answer this question by diving into the reasons why states conduct these campaigns.

Last Friday, the three major US intelligence agencies released a comprehensive statement on Russia’s activities related to the 2016 US elections: Assessing Russian Activities and Intentions in Recent US Elections (Activities and Intentions). While some skeptics remain unconvinced by the new report, the risks identified by the report that we cover in this post are compelling enough to demand examination and reasonable countermeasures — in spite of the near-impossibility of incontrovertibly identifying an attack’s source. Of course, the official Russian position has been winking denial of hacks.

“Usually these kinds of leaks take place not because hackers broke in, but, as any professional will tell you, because someone simply forgot the password or set the simple password 123456.”

German Klimenko, Putin’s top Internet adviser

While agencies get panned for bureaucratic language like “high confidence,” the considered rigor of briefings like Activities and Intentions contrasts with the headline-friendly “1000% certainty” of a mathematically-disinclined media hustler like Julian Assange.

Activities and Intentions is most perceptive when it locates the use of hacking and cyber espionage in “multifaceted” Russian doctrine:

“Moscow’s use of disclosures during the US election was unprecedented, but its influence campaign otherwise followed a longstanding Russia messaging strategy that blends covert intelligence operations — such as cyber activity — with overt efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social media users or ‘trolls.’”

The report is weakest when assessing the motives behind the doctrine, a.k.a. strategy. Aside from some incantations about inherent Russian hostility to the liberal democratic order, it claims that:

“Putin most likely wanted to discredit Secretary Clinton because he has publicly blamed her since 2011 for inciting mass protests against his regime in late 2011 and early 2012, and because he holds a grudge for comments he almost certainly saw as disparaging him.”

A more nuanced examination of Russian motivations and their cyber manifestations will help us better plan security strategy in this environment. ZiftenLabs has identified three major strategic imperatives at work.


First, as Kissinger would say, through history “Russia…came to see itself as a beleaguered outpost of civilization for which security could be found only through exerting its absolute will over its neighbors (52)”. US policy in the Bill Clinton era threatened this imperative due to the expansion of NATO and dislocating economic interventions, perhaps contributing to a Russian preference for a Trump presidency. Russia has used cyberwarfare tactics to protect its influence in former Soviet territories (Estonia, 2007; Georgia, 2008; Ukraine, 2015).

Second, President Putin wants Russia to be a great force in geopolitics again. “Above all, we should acknowledge that the collapse of the Soviet Union was a major geopolitical disaster of the century,” he said in 2005. Hacking identities of prominent individuals in political, academic, defense, technology, and other institutions that operatives could leak to embarrassing or scandalous effect is an easy way for Russia to discredit the US. The perception that Russia can influence election outcomes in the US with a keystroke impugns the legitimacy of US democracy, and muddles discussion around similar issues in Russia. With other prestige-boosting efforts like leading the ceasefire talks in Syria (after leveling many cities), this strategy could improve Russia’s international profile.

Finally, President Putin may harbor concerns about his job security. In spite of extremely favorable election results, according to Activities and Intentions, protests in 2011 and 2012 still loom large in his mind. With several regimes changing in his neighborhood in the 2000s and 2010s (he called it an “epidemic of disintegration”), some of which came about as a result of intervention by NATO and the US, President Putin is wary of Western interventionists who wouldn’t mind a similar outcome in Russia. A coordinated campaign could help discredit rivals and put the least hawkish candidates in power.

In light of these reasons for Russian hacking, who are the likely targets?

Due to the overarching goals of discrediting the legitimacy of the US and NATO and helping non-interventionist candidates where possible, government agencies, particularly those with roles in elections, are at the highest risk. So too are campaign organizations and other NGOs close to politics, like think tanks. These have provided softer targets for hackers seeking access to sensitive information. This means that organizations holding account information for, or access to, prominent individuals whose information could result in embarrassment or confusion for US political, business, academic, and media institutions must be extra careful.

The next tier of risk comprises critical infrastructure. While recent Washington Post reports of a compromised US electrical grid turned out to be overblown, Russia really has hacked power grids and possibly other parts of physical infrastructure, such as oil and gas. Beyond critical physical infrastructure, technology, finance, telecoms, and media could be targeted, as happened in Estonia and Georgia.

Finally, although the intelligence agencies’ work over the past weeks has caught some heat for presenting “obvious” recommendations, everyone really would benefit from the tips presented in the Homeland Security/FBI report, and in this blog post about hardening your configuration by Ziften’s Dr. Al. With major elections coming up this year in critical NATO members Germany, France, and the Netherlands, only one thing is certain: it will be a busy year for Russian cyber operators, and these recommendations should be a top priority.